Thank you for your interest in filling out a customer survey of our store.

The protection of your personal data is very important to us. That is why our goal is to ensure your right of information self-determination. Below, we explain which personal data we collect, process, and use, when, and for what purposes.

Provided that it is not otherwise stipulated in the following subsections (which are distinguished by their headings) of these General Data Protection Principles, the company:

LIDL Cyprus,

Industrial Area, 2 Pigasou Street,

CY- 7100, Aradippou – Larnaca

dataprotection@lidl.com.cy

shall be the data controller in the sense of Article 4, par. 7 of the GDPR.

2. Use of the survey tool

2.1 Protocol files

Purposes of data processing/ Legal basis:

When you visit our website, the browser used by your terminal device automatically and without your intervention sends the following information to our website’s server:

• the date and time of access,
• the name and URL of the retrieved file,
• the website/application used to gain access (address-URL),
• the browser program you use, and potentially the operating system of your internet-enabled computer,
• the access provider’s name,
• the unique user ID
• the number of your previous surveys
• the time required to respond to surveys,

where it is stored temporarily in a log file for the following purposes:

• ensuring a smooth connection,
• ensuring comfortable use of the website/application,
• exclusion of attempted fraud in surveys and
• assessing the security and stability of the system.

Keep in mind that within the first 7 days after the end of the survey there is a purely hypothetical possibility of drawing conclusions about the IP address used in Storefinder.

However, we do not make use of this feature and in addition, this is something that is prohibited by internal regulations.

The legal basis for processing the IP address is article 6, paragraph 1, letter f) GDPR. Our legitimate interest lies in the above mentioned purposes of data processing.

Recipients/ categories of recipients:

In the context of our customer survey, we employ specialized service providers, particularly in the field of customer research. They process your data on our behalf as data processors; they are carefully selected and furthermore all data controllers are contractually bound pursuant to Article 28 of the GDPR. All companies listed as providers in the below list of cookies shall act as data processors for us.

Length of data storage/ Criteria for determining the length of storage:

The log data is archived after 90 days and then deleted permanently after another 14 days.

This is necessary in order to enable a long-term evaluation of the surveys, while excluding the attempted fraud.

The data relating to the duration of the answering of the surveys are being archived after 90 days and then permanently finally deleted after a further 14 days.

This is necessary in order to establish a long-term evaluation of the surveys with the exclusion of attempted fraud.

The remaining log data are being archived after 7 days and are being permanently erased finally deleted after 14 days.

2.2 Use of cookies and similar technologies to process usage data

Purposes of data processing/ Legal basis:

We, Lidl Cyprus, are data controller for data processing activities in relation to the so-called cookies and other similar technologies for the processing of usage data in all (sub-)domains under www.lidl.com.cy

Cookies are small text files that are stored on your device (portable computer, tablet, smartphone, etc.) when you visit our website. Cookies do not damage your device and do not contain viruses, trojan horses or any other malware. Information is stored in cookies, leading to a connection with the specific device that you are using. However, this does not mean that we have direct knowledge of your identity.

The use of technically necessary cookies and other technically necessary technologies for processing usage data serves to provide data to be used in our research.

You can find an overview of information regarding the cookies and other technologies used, along with the respective processing purposes, the length of data storage, and any third-party providers that are involved, in the below list of cookies.

In the context of the use of cookies and similar technologies to process usage data, the following types of personal data are processed, depending on purpose:

• User input to preserve input in several secondary pages (e.g. saving your cookie consent).
• Authentication data to identify users following login, to allow them access to authorized. content in subsequent visits.
• Events related to security.
• Data necessary for multimedia content playback.

The legal basis for the use of technically necessary cookies is Article 6, par. 1.f) of the GDPR. We process your data based on our (concurrent) legal interest to collect data to improve our store offering.

Recipients/ categories of recipients:

In the context of processing data through cookies and similar techniques for processing usage data, we may employ specialized service providers, especially in customer surveys.

Such service providers process your data upon our order as data processors; they are carefully selected and are contractually bound for this purpose pursuant to Article 28 of the GDPR. All the companies listed in our Cookies Policy as providers operate as data processors for us.

Length of data storage/ Criteria for determining the length of storage:

The length of storage for cookies can be found in our above Cookies Policy.

3. Customer survey on shopping experience

Purposes of data processing/ Legal basis:

We collect your data in the context of our customer survey on shopping experience. Our purpose is to continuously improve your shopping experience at our stores.

We ask for your receipt number in order to ensure that each sales receipt participates in our customer survey only once. It is not possible to determine your identity based on your sales receipt, not even if you paid using a debit or credit card.

The legal basis for this processing is our concurrent legal interest to improve your shopping experience at our stores, in the sense of Article 6, par. 1.c f) of the GDPR.

We employ specialized service providers to process data, particularly in the field of customer research. These providers process your data on our behalf as data processors; they are carefully selected and are contractually bound for this purpose pursuant to Article 28 of the GDPR.

Length of data storage/ Criteria for determining the length of storage:

Your personal data will be deleted or anonymized at the latest within 90 days from your final response.

The storage period for such survey data is 12 months, and subsequently all values are compiled at the start of the corresponding month when the survey took place, so that it is impossible to make a temporal reference to survey data.

4. Contact with our Customer Service Department

Purposes of data processing/ Legal basis:

If your provide your name, email address or phone number in order to be contacted by a Customer Service representative, these data, along with your customer survey, are transmitted to our Customer Service Department solely and exclusively for the purpose of getting in touch with you. The legal basis for processing the data is Article 6, par. 1.a) f) of the GDPR.

Recipients/ categories of recipients:

We employ specialized service providers to process data, particularly in the field of customer research. These providers process your data on our behalf as data processors; they are carefully selected and are contractually bound for this purpose pursuant to Article 28 of the GDPR.

Length of data storage/ Criteria for determining the length of storage:

After you contact us, your personal data will be deleted after 90 days.

5. Competition

Purposes of data processing/ Legal basis:

To the extent that, in the context of the competition, the participants’ personal data are stored (full name, email address, street, number, post code and place of residence), such data are only used for carrying out the competition. The legal basis for processing such data is Article 6, par. 1.b) of the GDPR.

Recipients/ categories of recipients:

We employ specialized service providers to process data, who specialize in competitions. These providers process your data on our behalf as data processors; they are carefully selected and are contractually bound for this purpose pursuant to Article 28 of the GDPR.

Length of data storage/ Criteria for determining the length of storage:

After the competition is concluded and the winners’ names are announced, the participants’ personal data are deleted. The winners’ personal data are stored for delivery of their gifts for the duration of legal warranty claims, in order to organize an exchange if necessary (runners-up).

6. Transfer of data to countries outside the EEA

If we transfer data to recipients in a third country (outside the European Economic Area), you can find information regarding the recipients/ categories of recipients in the description of the respective data processing operation activity. The European Union attests that at least some third countries uphold a data protection standard that is comparable to the protection level in the European Economic Area, through the so-called adequacy decisions. You can find see a list of these countries here. If a country does not implement a comparable standard of data protection, we ensure that data protection is sufficiently guaranteed through other means. This is made possible e.g. through binding company regulations, standardized contractual provisions of the European Commission on the protection of personal data, certificates, or recognized codes of conduct. If you would like to know more about this, please contact the Data Protection Officer (Section 8).

7. Users’ rights

According to Article 15, par. 1, 3 and 4 of the GDPR, you have the right to be informed free of charge regarding personal data that we have collected concerning your person.

Furthermore, provided the statutory requirements are satisfied, you have the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), and the right to restriction of processing (Article 18 GDPR) of your personal data.

If the processing of data is based on Article 6, par. 1.e) or f) of the GDPR, you have the right to object, based on Article 21 of the GDPR. If you object to the processing of your data, such processing ceases henceforth, unless the data controller is able to prove the presence of imperative reasons meriting protection for continuing the processing, which override the legal interest that drives the data subject to object.

If you yourself have provided the data being processed, then pursuant to Article 20 of the GDPR you have the right to data portability.

If the processing of data is based on consent pursuant to Article 6, par. 1.a) of the GDPR, you can withdraw your consent at any time in with effect for the future, and this does not affect the legality of the processing up to that time.

In the above instances, and if you have any additional questions or concerns, please contact our Data Protection Officer in writing or by email.

Furthermore, you have the right at any time to lodge a complaint with the competent data protection supervisory authority of your habitual residence or to the authority where the data controller is domiciled. The competent data protection supervisory authority in Cyprus is the Office of the Commissioner for Personal Data Protection (Iasonos 1, 1082 Nicosia, Cyprus, commissioner@dataprotection.gov.cy).

8. Further questions

If you have further questions about the collection, processing and use of your personal data, please contact our company’s Data Protection Officers:

LIDL Cyprus,

Data protection department

Industrial Area, 2 Pigasou Street,

CY- 7100, Aradippou – Larnaca

dataprotection@lidl.com.cy.

Last update: 10.11.2020